Tens of thousands of defaced MikroTik and Ubiquiti routers available online

Tens of thousands of MikroTik and Ubiquiti routers are currently available online, featuring alarmistic hostnames such as "HACKED FTP server," "HACKED-ROUTER-HELP-SOS-WAS-MFWORM-INFECTED," or "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD."

In reality, these devices have not been hacked, just defaced, and appear to be the subject of some prank of vigilante's actions. Attackers aren't taking over devices, but merely changing the devices' names (hostnames), as a warning for device owners, hoping that users will take action and secure their routers.

Spotted by Ankit Anubhav, Principal Researcher at NewSky Security, a cyber-security company specialized in IoT security, these benign hacks have been going on since last summer. Speaking to Bleeping Computer, Anubhav says he first spotted these defacements last July, when he found over 36,000 Ubiquiti routers with strange hostnames [1, 2, 3], a number that has grown to over 40,000. The hostnames of the defaced Ubiquiti routers are the same ones used in a 2016 campaign when hackers changed Ubiquiti router logins to username "mother" and password "fucker".

Last year's and the recent Ubiquiti defacements don't appear to change the user's password like in the 2016 campaign, but only the router's hostname. But the Ubiquiti attacks are well known by this point in time, at least in the infosec community. Less known are the recent attacks on MikroTik devices, spotted by Anubhav earlier this week.

Anubhav detected over 7,300 defaced routers, which is about 1.3% of all MikroTik devices available online. The attacks caused some initial panic because nobody knew how they were taking place. An initial analysis led Anubhav and fellow security researcher Dr. Vesselin Bontchev made both experts speculate the attacks were being carried out using an exploit included in the WikiLeaks Vault 7 files (documentation for CIA cyber-weapons).

Last year, a security researcher reverse-engineered this exploit — known as Chimay Red— and published the code on GitHub, forcing MikroTik to issue a firmware update. However, after taking a closer and longer look at the hacked devices, Anubhav noticed that some of the defaced devices were running firmware versions that had been patched against the Chimay Red exploit.

Default credentials are the most likely cause

Things cleared up when both Anubhav found users complaining on the MikroTik forums about defaced devices, admitting they were using default or no credentials. "Looks like somebody made a script that logs into unprotected devices and changes the identity name," said a MikroTik spokesperson. "[MikroTik] RouterOS devices do have a password and firewall by default, but many remove those for unknown reasons."

The vigilante prankster behind the MikroTik attacks could have done much more harm with such a script. Instead, he just opted to rename the router's FTP server hostname to "HACKED FTP server." We understand that running a secure home router is sometimes too difficult for users with no technical skills.